- A set of Ansible roles for CentOS and Debian hosts that provides users with the option to deploy Lynis, run a system audit and remove the audit tool.
- Deploy -
centos_lynis.yaml
anddebian_lynis.yaml
playbooks will install the latest version of Lynis available. - Audit -
lynis_run.yaml
playbook conducts a standard system audit using the default profiles that come with Lynis. Once the audit is completed, a task will fetch the results file on the hosts/var/log/lynis.log
and provide a copy under alynis_audit_results
directory for review (the directory will be created if it does not exist under the playbook directory). - Remove -
centos_lynis_remove.yaml
anddebian_lynis_remove.yaml
will remove Lynis from the hosts where it is deployed.
- Deploy -
- For reference, below is a demonstration of how the directory structure of
lynis_audit_results
will look like after a number oflynis_run.yaml
playbook runs at different time intervals.
.
├── <INVENTORY_HOSTNAME_001>
│ ├── 2021-07-25T11:59:10Z-CentOS-8.4
│ │ └── lynis.log
│ ├── 2021-07-25T12:02:15Z-CentOS-8.4
│ │ └── lynis.log
│ ├── 2021-07-25T12:04:52Z-CentOS-8.4
│ │ └── lynis.log
│ └── 2021-07-25T12:07:18Z-CentOS-8.4
│ └── lynis.log
└── <INVENTORY_HOSTNAME_002>
├── 2021-07-25T11:59:10Z-Debian-10
│ └── lynis.log
├── 2021-07-25T12:02:15Z-Debian-10
│ └── lynis.log
├── 2021-07-25T12:04:52Z-Debian-10
│ └── lynis.log
└── 2021-07-25T12:07:18Z-Debian-10
└── lynis.log
- Debian and/or CentOS Stream host(s) that the playbooks will be run against.
lynis
,python3-apt
,apt-transport-https
,ca-certificates
,gpg
,curl
,nss
,openssl
ansible-vault
- [optional] - can be used in thedebian_ssh.yaml
orcentos_ssh.yaml
playbook to encrypt and store sensitive data "at rest".- In this use case, the
ansible_sudo_password
variable, which is used as the privilege escalation password, is stored in a vault. - Once the secret has been created and added to the playbook, in order for a user be able to become
sudo
to run the playbook, they will need to decrypt the vault to access the variable. - This can be achieved by passing one of the following flags listed below when executing the the playbook;
--ask-vault-pass
--vault-password-file
- Below is a demonstration of how the encrypted variable is defined in the playbooks;
- In this use case, the
---
# playbook for the lynis_run role.
- hosts: centos_hosts:debian_hosts
vars_files:
- become-secret
become: true
roles:
- lynis_run
- For more information on how to create encrypted variables, review the official
ansible
documentation.
- Tested on;
debian-10
,centos-8-stream
- Note - For the audit task to run a full check,
root
privilege escalation is required and is acheived through thebecome:yes
directive.- To review the task, check the
/roles/lynis_run/tasks/main.yml
for more details.
- To review the task, check the
# clone the repository
$ git clone [email protected]:hubvu/lynis-ansible.git
# navigate into the directory
$ cd lynis-ansible/
# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-vault-pass \
--verbose
# run the playbook `lynis_run.yaml` with verbosity
$ ansible-playbook lynis_run.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# review the `lynis_audit_results` directory for the audit results.
$ cd lynis_audit_results
$ tree
$ cat /<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/lynis.log
- Contribution guidelines for this project can be found in the Contributing document.
- Licenced under the MIT License.